Introduction

We propose to analyse quantum protocols by applying the formal verification techniques developed in classical computing for the analysis of communicating concurrent systems. Typically, the first step in formal verification is to define a model of the system to be analysed, in a well-founded mathematical notation. Experience has shown that this step in itself is a valuable way of eliminating ambiguities from an informal description of the system. Next, an automated analysis tool, based on the same underlying theory, is used to reason about the system. This might consist either of checking that the system is behaviourally equivalent to another system which is viewed as a specification, or of checking that the system satisfies properties expressed in a separate specification language.

One area of successful application of these techniques is that of classical security protocols [1, 16], exemplified by Lowe's [12] discovery and fix of a flaw in the well-known Needham-Schroeder authentication protocol which had been proposed several years previously. Secure quantum cryptographic protocols are also notoriously difficult to design: although protocols for quantum bit-commitment [?] were believed to be secure for several years, it has recently been shown not only that such protocols are insecure, but that secure quantum bit-commitment is impossible [10, 13]. Quantum cryptography is therefore an obvious and interesting target for formal verification, and provides our first example; we expect the approach to be transferable to more general quantum information processing scenarios.

Our example is the quantum key distribution protocol proposed by Bennett and Brassard [?], commonly referred to as BB84. We present a model of the protocol in the process calculus CCS [?] and the results of some initial analyses using the Concurrency Workbench of the New Century (CWB-NC) [?]. Similar work could be carried out with other combinations of modelling language and toolset, such as CSP [?] and FDR [?], or Promela and SPIN [?].

Proofs of unconditional security of the BB84 protocol exist [14, 11] and we have no reason to doubt their correctness. Nevertheless, we argue that the modelling/analysis approach has merit for the study of this and other quantum security protocols. Gottesman and Lo [?] point out that "the proof of security of QKD is a fine theoretical result, but it does not mean that a real QKD system would be secure. Some known and unknown security loopholes might prove to be fatal. Apparently minor quirks of a system can provide a lever for an eavesdropper to break the encryption". The analysis techniques which we are proposing can be applied to models at a range of levels of abstraction, from an idealised description to a concrete implementation. Moreover, a real system for security in information processing has components other than key distribution — authentication or authorisation, for example. In the future, some of these components may be quantum, but others could still be classical. We should be able to apply our methods in a uniform fashion to various components and their interactions and thus provide certification of complex systems. Finally, the analysis tools are oriented towards debugging: if a desired property is not satisfied, then their output enables us to understand the reason.

Modelling BB84 

We use a version of the BB84 protocol in which Alice reveals the polarisation basis she used for each photon as soon as the photon is received and measured by Bob. The CCS model is based on processes and actions, both of which may be parameterised. In this particular model, all parameters are binary valued.

The quantum communication channel is modelled by a pair of processes: Empty and Full. The action put(d, b) indicates that it is possible to send a bit d into the channel; the bit is encoded with respect to one of two polarisation bases, represented by another binary parameter b. A process which actually sends data into the channel will contain the complementary action to put, with a particular choice of parameters. The dot stands for sequencing, so that the Empty channel becomes Full after receiving the data.

Empty = put(d,b).Full(d,b) 

A Full channel allows an observer to measure its contents with respect to a particular basis; the channel then uses the action get to release a binary value, and becomes Empty. If the basis used for the measurement is different from the basis which was originally used to encode the transmitted bit, then the value released by the channel may be either 0 or 1. The + operator indicates nondeterminism. Note that we are only modelling possibilities, not probabilities. Modelling languages and analysis tools for probabilistic systems are available, for example PRISM [?]. Probabilistic modelling and reasoning about quantum protocols is an area for future work.

Full(d,b) = measure(b').
              if b' = b then get(d).Empty
              else (get(0).Empty + get(1).Empty)

Alice and Bob interact with the channel via the actions put, measure and get. The actions go, ~go are used for additional synchronisation, so that Alice does not choose and put repeatedly before Bob has finished processing what he received; this facilitates later analysis.

Alice = choose(x).(put(x,0).reveal(0).go.Alice +
                   put(x,1).reveal(1).go.Alice)
Bob   = measure(0).get(x).(reveal(b).if b = 0
            then keep(x).~go.Bob else ~go.Bob)
      + measure(1).get(x).(reveal(b).if b = 1
            then keep(x).~go.Bob else ~go.Bob)

The complete protocol, without an eavesdropper, consists of the parallel composition (operator |) of Alice, Bob, and an Empty channel. The operator \{put, get, measure, go, reveal} indicates that these actions, and their complements, are hidden; they are used for internal interaction, but are not visible outside. Parallel composition means that individual processes run independently, only synchronising on actions and their complements. For example, Alice's put must synchronise with the put in Empty. This means that Alice cannot do reveal, synchronising with Bob, until after Bob has done get; Alice has to wait.

BB84 = (Alice | Bob | Empty) \ {put, get, measure, go, reveal}



An eavesdropper Eve can be modelled similarly, allowing us to define the attacked protocol BB84'. This particular eavesdropper simply guesses a basis, then measures, extracts and returns the sent bit. More generally, following a standard approach to the analysis of classical security protocols, we could consider an eavesdropper who arbitrarily attempts to use any actions with any parameters derivable from information available to her.

Eve   = measure(0).get(x).put(x,0).Eve
      + measure(1).get(x).put(x,1).Eve
BB84' = (Alice | Bob | Eve | Empty) \ {put, get, measure, go, reveal}

The process Spec can be viewed as a specification of the protocol in the absence of an eavesdropper. Spec is a description of how the protocol should behave: Alice chooses and sends a sequence of bits, some of which Bob can discard (when polarisation bases do not match), but whenever he keeps a bit it is the same as what Alice sent. This results in the generation of a sequence of bits common to both parties — the key.

Spec = choose(x).(Spec + keep(x).Spec)

Analysing BB84

Using the tool CWB-NC, we have established that BB84 is equivalent to Spec and that BB84' is not equivalent to Spec. "Equivalent" refers to trace equivalence, which means equality of the set of possible sequences of observable actions. The tool discovers that choose(0) keep(1) is a trace of BB84' but not of Spec. This trace arises from an execution in which Bob measures with the correct basis but Eve has already corrupted the channel by measuring with the wrong basis. Alternatively, the property ⟨choose(0)⟩⟨keep(1)⟩true (expressed in the modal μ-calculus) specifies that a process may choose 0 and end up keeping 1. CWB-NC establishes that BB84 does not satisfy this property, whereas BB84' does. This shows the possibility of interference by Eve. Note that once the processes and properties have been defined, CWB-NC carries out verification automatically and without human intervention.
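As an added illustration, not part of the paper, the following Python code enumerates the possibilities of the CCS model above for a single protocol round (Alice chooses and sends one bit) and reproduces the two analysis results by brute force: the trace choose(0) keep(1) is observable only when Eve is present, and only the eavesdropper-free model satisfies Spec. The function names and the one-round restriction are this example's own.

```python
"""Possibilistic enumeration of one round of the BB84 / BB84' CCS model.
Like the CCS model, this tracks only which outcomes are possible, never
their probabilities. All names here are this example's own, not the paper's."""
from itertools import product


def measure(d, b, b_prime):
    """Full(d,b) measured in basis b_prime: the same basis returns d,
    a different basis may release either bit (get(0) + get(1))."""
    return {d} if b_prime == b else {0, 1}


def observable_traces(with_eve):
    """All one-round traces of hidden-action-free observable behaviour.
    A trace is (('choose', x), ('keep', v)) when Bob's basis matched Alice's
    and he kept a bit, or just (('choose', x),) when he discarded it."""
    traces = set()
    for x, b, b_bob in product((0, 1), repeat=3):
        channel = {(x, b)}  # Alice: put(x,b) turns Empty into Full(x,b)
        if with_eve:
            # Eve = measure(e).get(v).put(v,e).Eve, for either guess e
            channel = {(v, e) for (d, basis) in channel
                       for e in (0, 1) for v in measure(d, basis, e)}
        for d, basis in channel:
            for v in measure(d, basis, b_bob):
                # Alice reveals b; Bob keeps the bit only if b = b_bob
                if b_bob == b:
                    traces.add((('choose', x), ('keep', v)))
                else:
                    traces.add((('choose', x),))
    return traces


def satisfies_spec(traces):
    """Spec = choose(x).(Spec + keep(x).Spec): a kept bit must equal the
    chosen bit. Returns False if any trace violates this."""
    for trace in traces:
        (_, x), *rest = trace
        if any(v != x for _, v in rest):
            return False
    return True


if __name__ == "__main__":
    leak = (('choose', 0), ('keep', 1))
    print("BB84  has choose(0) keep(1):", leak in observable_traces(False))
    print("BB84' has choose(0) keep(1):", leak in observable_traces(True))
```

Running the script prints False for BB84 and True for BB84', matching the CWB-NC result in the text; satisfies_spec plays the role of the trace-equivalence check against Spec.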

Conclusions and Future Work 

We have introduced techniques for formally modelling and analysing quantum protocols. As far as we are aware, this is the first proposal to use formal modelling and analysis in the field of quantum information processing. As a specific demonstration, we have modelled components of the BB84 protocol in CCS, and analysed the model with the CWB-NC tool.

Future work will include the development of a framework based on our initial investigation, for detailed analysis of quantum information systems. We are already considering tools that enable us to incorporate probabilities into our model and we will also include methods to reason about errors and error-correction. We aim to be able to generalise the model of the attacker, in order to analyse collective or coherent attacks, for example. The modelling of entanglement-based quantum key distribution [?], other quantum cryptographic protocols and quantum communication protocols is another goal.

An alternative approach, which we also plan to investigate, is to use machine-assisted theorem-proving technology to formalise conventional proofs about quantum systems, such as the unconditional security proofs.

Quantum cryptography is already viable and prototype implementations are being seriously considered. If verification efforts are begun early and proceed in tandem with implementations, the resulting systems are likely to be highly secure.